Disaster recovery for systems typically focuses on making alternative processes and resources available for transaction processing. A disaster recovery plan (DRP) should reduce the length of recovery time necessary and also the costs associated with recovery. Proper planning will mitigate the risk and impact of a major business interruption. Although DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. A disaster can be classified as a disruption that causes critical information resources to be inoperative for a period of time, adversely affecting business operations. Business continuity plans (BCP) are the result of a process of plan creation to ensure that critical business functions can withstand a variety of emergencies. Disaster-recovery plans deal with the immediate restoration of the organization's business systems while the business continuity plan also deals with the long-term issues before, during, and after the disaster. The BCP should include getting employees to the appropriate facilities; communicating with the public, partners, and customers; and making the transition from emergency recovery back to normal operations. The DRP is a part of the BCP and is the responsibility of senior management. A disaster can be caused by naturally occurring events such as floods, tornadoes, fire, or earthquakes, but it can include anything that causes disruption to information processing. Other types of disasters include loss of electrical power or telecommunications, or direct or indirect attacks on the organization's systems or facilities (such as a terrorist attack or hacking). These are the attributes of a disaster:
According to the United Nation's International Decade for Natural Disasters Reduction, natural disasters kill one million people around the world each decade and leave millions more homeless each year. In addition, economic damages from natural disasters have tripled in the past 30 years, rising from $40 billion in the 1960s to $120 billion in the 1980s. In the past year, more than a dozen worldwide disasters have caused billion-dollar losses. Table 5.1 provides a snapshot of the costs resulting from natural disasters from 1983 to 1994.
During the initiation of the business continuity planning process, the BCP team should prepare for a meeting with senior management to define the project goals and objectives, present the project schedule, and review the proposed interview schedule (resources required). In preparation for this meeting, the BCP team should do the following:
Per ISACA, the business continuity planning process can be divided into the following phases:
The development of an effective business-continuity plan will take all threats (disasters) into account during development. Some of these threats might affect systems only for minutes or hours, but the plan should include recovery from these events as well. The recovery might be simply restoring data from backups or moving personnel and equipment to a new facility to continue business operations. |